The UK's Online Safety Act (OSA) 2023, which became law on 26 October 2023, imposes extensive new obligations on certain types of online service providers, requiring them to protect their users by identifying, mitigating, and managing risks relating to illegal and harmful content. The OSA applies to certain service providers wherever they are located, as long as they have "links" to the UK – meaning that they have a significant number of UK users, the UK forms one of their target markets, or the service is capable of being used in the UK and there are reasonable grounds to believe that there is a material risk of significant harm to UK individuals presented by content associated with the service. Due to its extraterritorial reach, the OSA is expected to regulate approximately 100,000 organisations worldwide.

However, the full implementation of the OSA will not be immediate. Ofcom, the UK's communications regulator, has set out a phased implementation plan that is expected to span about three years, allowing in-scope providers time to adjust to and comply with their new obligations. Ofcom's first consultation with affected services, regarding 'illegal harms', has already opened and will close on 23 February 2024. Its second consultation, on child safety, is due to open before the end of 2023.

Ofcom is responsible for enforcing the regime and is in the process of publishing guidance and codes of practice. The OSA provides several enforcement mechanisms and powers against companies, including (but not limited to):

  • Fines, which may be up to £18 million or 10% of worldwide revenue (whichever is higher).
  • Service restriction orders. Ofcom may apply to the court for a service restriction order requiring ancillary services (e.g., payments providers) to withdraw their services.
  • Powers of entry, inspection and audit. Ofcom will have powers of entry and inspection, including without a warrant in certain circumstances (but with seven days' notice).
  • Notices to deal with terrorism or CSEA content (or both). Ofcom may require services to use accredited technology to identify and swiftly take down CSEA content and/or identify and swiftly secure terrorism content. Ofcom also may require services to use their 'best endeavours' to develop or source technology to satisfy such a notice.

Under certain circumstances, senior managers could also face criminal prosecution.

Our November 2023 Cooley client alert tackled the OSA in more depth, including the following topics:

  1. The types of services that are subject to the OSA.
  2. The law's impact on in-scope services, including obligations and duties of care.
  3. Key practical implications for in-scope services.
  4. Enforcement by Ofcom, including fines and service restriction orders.
  5. Compliance tips.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.